Google has recently addressed a significant security vulnerability in its Gemini CLI tool, which posed a risk of remote code execution in automated workflows.
Impact on Automated Environments
This vulnerability was found in the npm package @google/gemini-cli and the google-github-actions/run-gemini-cli GitHub Action. It primarily affected systems operating in headless environments, such as Continuous Integration and Continuous Deployment (CI/CD) pipelines.
The security advisory highlighted two primary weaknesses: unsafe handling of workspace trust and a flaw in tool allowlisting when the --yolo mode was activated.
Detailed Breakdown of Vulnerabilities
The first issue was related to workspace trust in non-interactive modes. Previous versions of Gemini CLI automatically trusted the current workspace, allowing it to load configuration files and environment variables from the .gemini/ directory without user approval. This opened up the potential for malicious actors to execute harmful commands by placing malicious content in that directory, for example through an external contribution to the repository being processed.
The second flaw involved tool allowlisting under --yolo mode. Previous versions failed to enforce the tool restrictions specified in ~/.gemini/settings.json, which could inadvertently permit execution of dangerous commands through prompt injection, especially in environments processing untrusted input.
Security Measures and Recommendations
This vulnerability was particularly concerning for Gemini CLI deployments in headless modes, including numerous GitHub Actions workflows. Google advises all users to reassess the configuration of Gemini CLI in automation pipelines, especially where external contributions can affect files or settings.
Patches are now available for both the @google/gemini-cli package and the run-gemini-cli GitHub Action. Users are urged to upgrade to the latest versions immediately. Additionally, Google has implemented a major security change: headless mode will no longer automatically trust workspace folders. Organizations using trusted inputs must now explicitly configure GEMINI_TRUST_WORKSPACE: 'true'.
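As an added defender's example (not code from the article or from Google), the following Python pre-flight audit applies the advisory's two conditions to an already-parsed GitHub Actions workflow: it flags jobs where an event carrying untrusted input meets GEMINI_TRUST_WORKSPACE set to 'true' or a --yolo invocation, flags run-gemini-cli references not pinned to a commit, and lists contribution changes under the checkout's .gemini/ directory so the job can fail before the CLI loads them. The sample workflow, the list of untrusted events and the finding texts are this example's assumptions; the action's own input names are not modelled.

```python
"""Pre-flight audit for Gemini CLI in CI: an added example for this article, not Google's
code. The workflow shape, untrusted-event list and finding texts are assumptions."""
import re

# Events that run on input an outside contributor can shape (illustrative list).
UNTRUSTED_EVENTS = {"pull_request", "pull_request_target", "issue_comment", "issues"}
ACTION = "google-github-actions/run-gemini-cli"
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def _events(on):
    """Normalise a workflow's 'on' block (string, list or mapping) to a set of names."""
    return {on} if isinstance(on, str) else set(on or [])

def _invokes_gemini(step):
    """True for the run-gemini-cli action and for shell steps that call the gemini CLI."""
    return (step.get("uses", "").startswith(ACTION + "@")
            or bool(re.search(r"\bgemini\b", step.get("run", ""))))

def audit_workflow(workflow):
    """Unique (job, reason) findings: untrusted input meeting workspace trust or --yolo
    (the advisory's two conditions) and run-gemini-cli refs not pinned to a commit."""
    exposed = bool(_events(workflow.get("on")) & UNTRUSTED_EVENTS)
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            if not _invokes_gemini(step):
                continue
            # Step env overrides job env, which overrides workflow env.
            env = {**workflow.get("env", {}), **job.get("env", {}), **step.get("env", {})}
            uses, hits = step.get("uses", ""), []
            if uses and not FULL_SHA.match(uses.partition("@")[2]):
                hits.append("run-gemini-cli not pinned to a full commit SHA")
            if exposed and str(env.get("GEMINI_TRUST_WORKSPACE", "")).lower() == "true":
                hits.append("GEMINI_TRUST_WORKSPACE=true on an event carrying untrusted input")
            if exposed and "--yolo" in step.get("run", ""):
                hits.append("--yolo on an event carrying untrusted input")
            findings += [(job_name, h) for h in hits if (job_name, h) not in findings]
    return findings

def workspace_config_changed(changed_files):
    """Paths under the checkout's .gemini/ that a contribution touched; fail the job
    before the CLI loads them whenever this is non-empty."""
    return [p for p in changed_files if p == ".gemini" or p.startswith(".gemini/")]

# Constructed sample: a PR-triggered job that trusts the workspace and runs with --yolo.
SAMPLE_WORKFLOW = {"on": ["pull_request_target"], "jobs": {"review": {
    "env": {"GEMINI_TRUST_WORKSPACE": "true"},
    "steps": [{"uses": "actions/checkout@v4"}, {"uses": ACTION + "@v1"},
              {"run": "gemini --yolo -p 'review this change'"}]}}}
```

Run `audit_workflow` on the workflow dict your YAML loader produces and `workspace_config_changed` on the PR's changed-file list, and fail the job on any non-empty result.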
Future Outlook and Security Awareness
This incident, reported by Elad Meged of Novee Security and Dan Lisichkin of Pillar Security, underscores the growing risks associated with AI-driven developer tools. When automation and shell access intersect with untrusted inputs, policy gaps can become critical vulnerabilities.
Users are encouraged to follow Google’s hardening guidelines and carefully evaluate allowed tools and command execution settings to mitigate future risks.
